Electronic Spy Network Focused on Dalai Lama and Embassy Computers

An electronic spy network that infiltrated the computers of government offices, NGOs and activist groups in more than 100 countries has been surreptitiously stealing documents and eavesdropping on electronic correspondence, say a group of researchers at the University of Toronto.

More than 1,200 computers at embassies, foreign ministries, news media outlets and non-governmental organizations based primarily in South and Southeast Asia have been infiltrated by the network since at least the spring of 2007, according to the researchers’ detailed 53-page report. So have computers in the offices of the Dalai Lama, the Asian Development Bank and the Associated Press in the United Kingdom and Hong Kong.

Infected computers include those at the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia and the Philippines, and at the embassies of India, South Korea, Germany, Pakistan and Taiwan. Thirty percent of the infected computers could be considered "high-value" diplomatic, political, economic and military targets, the researchers say. The forensic evidence for the network leads to servers in China, though the researchers are cautious about assigning responsibility to the Chinese government.

The largest number of infected computers in a single country was in Taiwan (148), followed by Vietnam (130) and the United States (113). Seventy-nine computers were infected at the Taiwan External Trade Development Council (TAITRA). One computer at Deloitte & Touche in New York was among those infected in the United States.

Although the network didn’t appear to have infiltrated any U.S. government computers, a NATO computer was spied on at one point, as were computers at the Indian Embassy in Washington and the permanent mission of Cuba to the United Nations.

According to a story about the research in The New York Times, the researchers began investigating the issue in June 2008 after the Dalai Lama’s office in Dharamsala, India — the location of the Tibetan government in exile — contacted them to examine its computers, which were exhibiting signs of infection. They found that the spy network had gained control of mail servers for the Dalai Lama’s offices, allowing the spies to intercept all correspondence.

The computers were infected either when workers opened an e-mail attachment containing malware or when they clicked a URL that led to a rogue website from which the malware was downloaded to their computer. The malware includes a feature for turning on a computer's web camera and microphone in order to secretly record conversations and activity in the room.

The spy network continues to infect about a dozen new computers in various places each week, according to the researchers, who are based at the University of Toronto’s Munk Center for International Studies. The Times has a graph showing countries where computers have been infected.

The researchers say three of the four main servers controlling the network, which they’ve dubbed GhostNet (the malware used in the attack is the gh0st RAT program), are based on the island of Hainan in China. The fourth is based in Southern California. The language of the interface for controlling the network of infected computers is Chinese.

None of this proves that the Chinese government is behind the spying, as the researchers point out in their report, since it’s possible for a U.S. intelligence agency or any other country to set up a spy network in a way that would throw suspicions on the Chinese. But the Times reports a couple of incidents that suggest Chinese intelligence services might be behind the spying. In one incident, after the Dalai Lama’s office sent an e-mail to an unnamed foreign diplomat inviting her for a meeting, the Chinese government contacted her and discouraged her from accepting the invitation. Chinese intelligence officers also showed another woman who works with Tibetan exiles transcripts of her electronic communications. The Chinese government has denied it’s behind the spy network.
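The gh0st RAT that the report names has a distinctive command-and-control framing that network defenders still match on: each message starts with a five-byte tag ("Gh0st" in the original build; later variants swap in other five-byte strings), then a little-endian 32-bit total frame length, a little-endian 32-bit uncompressed payload length, and a zlib-compressed payload. The following is an added example, not code from the Munk or Cambridge reports, that parses that framing defensively from one direction of a captured TCP stream. The sample traffic is constructed here and the beacon text is made up.

```python
"""Parse gh0st RAT style command-and-control frames from a captured stream.

Added example (not from the GhostNet reports). Frame layout, as widely documented:
  bytes 0-4   five-byte tag, "Gh0st" in the original build (variants use other tags)
  bytes 5-8   uint32 LE: total frame length, header included
  bytes 9-12  uint32 LE: length of the payload once decompressed
  bytes 13-   zlib-compressed payload
The sample stream at the bottom is constructed; the beacon text is made up."""
import struct
import zlib

HEADER = struct.Struct("<5sII")   # tag, total_len, raw_len
MAGIC = b"Gh0st"
MAX_RAW = 16 * 1024 * 1024        # refuse to inflate more than this (zip-bomb guard)


def build_frame(payload: bytes, magic: bytes = MAGIC) -> bytes:
    """Encode a payload the way the RAT does; used only to construct sample traffic."""
    body = zlib.compress(payload)
    return HEADER.pack(magic, HEADER.size + len(body), len(payload)) + body


def parse_frame(data: bytes, magic: bytes = MAGIC):
    """Return (payload, rest) if data begins with a well-formed frame, else None.

    Every length field is validated before it is trusted: a hostile stream must
    not be able to make the parser over-read the buffer or inflate without bound.
    """
    if len(data) < HEADER.size:
        return None
    tag, total_len, raw_len = HEADER.unpack_from(data)
    if tag != magic or total_len < HEADER.size or total_len > len(data):
        return None
    if raw_len > MAX_RAW:
        return None
    try:
        # Ask zlib for at most raw_len + 1 bytes so a lying header cannot force
        # a huge allocation; an extra byte means the header under-reported.
        payload = zlib.decompressobj().decompress(data[HEADER.size:total_len], raw_len + 1)
    except zlib.error:
        return None
    if len(payload) != raw_len:
        return None
    return payload, data[total_len:]


def scan_stream(stream: bytes, magic: bytes = MAGIC) -> list:
    """Walk one direction of a TCP stream and return every frame payload found,
    stopping at the first byte sequence that is not a valid frame."""
    payloads = []
    while stream:
        result = parse_frame(stream, magic)
        if result is None:
            break
        payload, stream = result
        payloads.append(payload)
    return payloads


# Constructed sample: two frames followed by unrelated HTTP bytes.
SAMPLE_STREAM = (
    build_frame(b"constructed beacon: host=WS01 os=XP")
    + build_frame(b"constructed heartbeat")
    + b"GET / HTTP/1.1\r\n"
)

if __name__ == "__main__":
    for p in scan_stream(SAMPLE_STREAM):
        print("gh0st frame:", p)
```

Matching on the tag alone, as many signatures do, is what variant authors defeat by changing five bytes; checking that the two length fields are consistent with the bytes on the wire and that the payload actually inflates to the declared size is a much harder thing to fake by accident, and it is also what keeps a parser like this safe when pointed at hostile traffic.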

Tor is an anonymizing network of hundreds of volunteer-run nodes around the world that wraps traffic in layers of encryption and passes it through several nodes so that the recipient cannot trace it back to the sender. That encryption protects the traffic only while it is inside the Tor network: the last node in the chain, called the exit node, strips the final layer and forwards the data to its destination exactly as the client sent it. If the application did not encrypt its own traffic (a mail client using plain POP3 or IMAP rather than TLS, for example), the exit node sees it in the clear. Egerstad, the Swedish researcher, had set up his own exit nodes on the Tor network and sniffed the data as it passed through his nodes unencrypted.

In this way, Egerstad was able to read about 1,000 e-mails in the vulnerable accounts that were passing through Tor and found some pretty sensitive information. This included requests for visas; information about lost, stolen or expired passports; and an Excel spreadsheet containing the sensitive data of numerous passport holders — including passport number, name, address and date of birth. He also found documentation about meetings among government officials.
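What an exit-node operator can recover from traffic that leaves Tor without its own encryption, as an added example that is not from the article or from Egerstad's work: the function below takes the client-to-server bytes of one session and pulls out credentials sent by the common plaintext mail and web mechanisms (POP3 USER/PASS, IMAP LOGIN, SMTP AUTH PLAIN, HTTP Basic), and returns nothing for a session that opens with a TLS handshake, because there the exit sees only ciphertext. All captured sessions are constructed; the hostnames, account names and passwords are made up.

```python
"""Credentials recoverable by a Tor exit node from unencrypted sessions.

Added example, not from the article or from Egerstad's work. Tor's own layers
of encryption are removed at the exit, so whatever the application sent in the
clear arrives at the exit in the clear. The sessions below are constructed."""
import base64
import re

# A TLS record starts with content type 0x16 (handshake) and major version 0x03.
TLS_HANDSHAKE_PREFIX = b"\x16\x03"


def _b64(token: str):
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return None


def _pick(quoted, bare):
    """IMAP arguments may be quoted or bare; return whichever alternative matched."""
    return quoted if quoted is not None else bare


def extract_credentials(client_bytes: bytes) -> list:
    """Return (protocol, username, password) tuples visible in one
    client-to-server stream, or [] when nothing is recoverable."""
    if client_bytes.startswith(TLS_HANDSHAKE_PREFIX):
        return []                           # encrypted end to end; the exit sees ciphertext only
    text = client_bytes.decode("latin-1")   # lossless 1:1 byte mapping for inspection
    flags = re.M | re.I
    found = []

    # POP3: USER <name> then PASS <secret>, both in the clear.
    user = re.search(r"^USER (\S+)\r?$", text, flags)
    pw = re.search(r"^PASS (.+?)\r?$", text, flags)
    if user and pw:
        found.append(("pop3", user.group(1), pw.group(1)))

    # IMAP: <tag> LOGIN <user> <pass>; either argument may be a quoted string.
    for m in re.finditer(r'^\S+ LOGIN (?:"([^"]*)"|(\S+)) (?:"([^"]*)"|(\S+))\r?$', text, flags):
        found.append(("imap", _pick(m.group(1), m.group(2)), _pick(m.group(3), m.group(4))))

    # SMTP AUTH PLAIN: base64 of "authzid\0authcid\0password" (RFC 4616).
    for m in re.finditer(r"^AUTH PLAIN ([A-Za-z0-9+/=]+)\r?$", text, flags):
        raw = _b64(m.group(1))
        if raw is not None and raw.count(b"\0") == 2:
            _, name, secret = raw.split(b"\0")
            found.append(("smtp", name.decode("latin-1"), secret.decode("latin-1")))

    # HTTP Basic: base64 of "user:password" in the Authorization header.
    for m in re.finditer(r"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", text, flags):
        raw = _b64(m.group(1))
        if raw is not None and b":" in raw:
            name, secret = raw.split(b":", 1)
            found.append(("http", name.decode("latin-1"), secret.decode("latin-1")))
    return found


# Constructed client-to-server sessions; hosts, names and passwords are made up.
SAMPLE_SESSIONS = {
    "pop3": b"USER visa.desk@embassy.example\r\nPASS Winter2007!\r\nSTAT\r\nQUIT\r\n",
    "imap": b'a001 LOGIN "attache" "passw0rd"\r\na002 SELECT INBOX\r\n',
    "smtp": b"EHLO ws01\r\nAUTH PLAIN " + base64.b64encode(b"\0courier\0p@ss") + b"\r\n",
    "http": b"GET /webmail/ HTTP/1.1\r\nHost: mail.embassy.example\r\n"
            b"Authorization: Basic " + base64.b64encode(b"reader:letmein") + b"\r\n\r\n",
    # The same kind of login over TLS: only a handshake record is visible to the exit.
    "tls": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
}


def sniff_all(sessions: dict) -> dict:
    """Run the extractor over every captured session."""
    return {name: extract_credentials(data) for name, data in sessions.items()}


if __name__ == "__main__":
    for name, creds in sniff_all(SAMPLE_SESSIONS).items():
        print(name, creds or "nothing recoverable")
```

Run against the sample sessions, the four plaintext protocols give up the account and password and the TLS session gives up nothing. That is the practical lesson of Egerstad's find: Tor hides who is talking to whom, not what is said, so a mail client routed through Tor must itself use POP3S, IMAPS or STARTTLS, and anything that crosses an exit in the clear should be assumed read.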

A reporter for the Indian Express newspaper, using the leaked login information that Egerstad published at the time, accessed the account for the Indian ambassador in China and found details of a visit by a member of India’s parliament to Beijing and the transcript of a meeting between a senior Indian official and the Chinese foreign minister.

Egerstad didn't find any U.S. embassy or government agency accounts that were vulnerable. But those he did find were accounts for embassies of Iran, India, Japan, Russia and Kazakhstan as well as the foreign ministry of Iran, the U.K. visa office in Nepal, the Hong Kong Democratic Party, Hong Kong Liberal Party, the Hong Kong Human Rights Monitor, the India National Defence Academy and the Defence Research & Development Organisation at India's Ministry of Defence.

Egerstad and I had concluded at the time that someone had likely infected computers belonging to embassy workers and human rights groups and was using Tor to anonymously transmit data that was being stolen from the computers. He'd inadvertently scooped up the stolen data as it was being transmitted from the infected computers to another location.

Threat Level contacted a number of embassy and rights groups in China to notify them at the time that their computers were being spied on, but none of the groups responded. It seems clear now that Egerstad had tapped into data that was being stolen by GhostNet.

Two other researchers who also worked on part of the GhostNet investigation and are based at Cambridge University have written a report that focuses specifically on their investigation of computers belonging to the Office of His Holiness the Dalai Lama (OHHDL). The pair are less circumspect than their research partners at Munk about the likely culprit behind the attack. Their report dubs the spy network "snooping dragon" and clearly points the finger at the Chinese government and intelligence services.

They write that the e-mails carrying infected attachments that OHHDL workers received appeared to come from Tibetan co-workers. In some cases, monks received infected e-mails that appeared to come from other monks. The attackers seemed to target their infected correspondence at key people in the OHHDL office, including network administrators, and in this way likely obtained login credentials for the mail server. Once they controlled the mail server, they were able to infect more computers by intercepting legitimate e-mail in transit and replacing clean attachments with infected .doc and .pdf attachments, which installed rootkits that gave the attackers full control over the recipient's computer.

One monk reported that he was looking at his screen when his Outlook Express program launched on its own and began sending out e-mails with infected attachments.

The two Cambridge researchers do say at one point that they wondered whether the attackers might have used Tor or another anonymizing service to conduct their attack, but they wrote that they found no evidence that the attackers were using Tor or another relay service.

I contacted the researchers to ask if they might have missed something about the Tor connection, since it seems clear that the attacks they researched are related to the information the Swedish researcher uncovered. One of them responded that they had looked only at the list of Tor nodes on the Tor directory from mid-2008 onwards and had not looked at nodes from 2007, when the Swedish researcher had captured the logins and passwords on his node. He said they’ll get back to me after they’ve looked into it further.